[Tuning] Connection to Commonly Abused Web Services (#3425)

* Update command_and_control_common_webservices.toml * Update command_and_control_common_webservices.toml --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-04-02 14:41:10 +01:00
parent f025616cbd
commit 69173872da
1 changed files with 64 additions and 17 deletions
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/03/28"
+updated_date = "2024/02/04"

 [transform]
 [[transform.osquery]]
@@ -142,21 +142,25 @@ network where host.os.type == "windows" and network.protocol == "dns" and
    process.name != null and user.id not in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
    /* Add new WebSvc domains here */
    dns.question.name :
-    (
+       (
        "raw.githubusercontent.*",
-        "*.pastebin.*",
-        "*drive.google.*",
-        "*docs.live.*",
-        "*api.dropboxapi.*",
-        "*dropboxusercontent.*",
-        "*onedrive.*",
-        "*4shared.*",
-        "*.file.io",
-        "*filebin.net",
-        "*slack-files.com",
-        "*ghostbin.*",
-        "*ngrok.*",
-        "*portmap.*",
+        "github.com",
+        "pastebin.*",
+        "paste4btc.com",
+        "paste.ee",
+        "ghostbin.com",
+        "drive.google.com",
+        "?.docs.live.net",
+        "api.dropboxapi.*",
+        "content.dropboxapi.*",
+        "dl.dropboxusercontent.*",
+        "api.onedrive.com",
+        "*.onedrive.org",
+        "onedrive.live.com",
+        "filebin.net",
+        "*.ngrok.io",
+        "ngrok.com",
+        "*.portmap.*",
        "*serveo.net",
        "*localtunnel.me",
        "*pagekite.me",
@@ -167,12 +171,55 @@ network where host.os.type == "windows" and network.protocol == "dns" and
        "zerobin.net",
        "controlc.com",
        "requestbin.net",
+        "slack.com",
+        "api.slack.com",
+        "slack-redir.net",
+        "slack-files.com",
        "cdn.discordapp.com",
        "discordapp.com",
        "discord.com",
+        "apis.azureedge.net",
+        "cdn.sql.gg",
+        "?.top4top.io",
+        "top4top.io",
+        "www.uplooder.net",
+        "*.cdnmegafiles.com",
+        "transfer.sh",
+        "gofile.io",
+        "updates.peer2profit.com",
+        "api.telegram.org",
+        "t.me",
+        "meacz.gq",
+        "rwrd.org",
+        "*.publicvm.com",
+        "*.blogspot.com",
+        "api.mylnikov.org",
+        "file.io",
+        "stackoverflow.com",
+        "*files.1drv.com",
+        "api.anonfile.com",
+        "*hosting-profi.de",
+        "ipbase.com",
+        "ipfs.io",
+        "*up.freeo*.space",
+        "api.mylnikov.org",
        "script.google.com",
-        "script.googleusercontent.com"
-    ) and
+        "script.googleusercontent.com",
+        "api.notion.com",
+        "graph.microsoft.com",
+        "*.sharepoint.com",
+        "mbasic.facebook.com",
+        "login.live.com",
+        "api.gofile.io",
+        "api.anonfiles.com",
+        "api.notion.com",
+        "api.trello.com",
+        "gist.githubusercontent.com",
+        "files.pythonhosted.org",
+        "g.live.com",
+        "*.zulipchat.com",
+        "graph.microsoft.com") and 
+        
    /* Insert noisy false positives here */
    not (
      (